Allow printing traffic from DMZ (Lower Security interface) to inside network on PIX 515E

Discussion in 'Cisco' started by jywu1@hotmail.com, Dec 8, 2005.

  1. Guest

    Hello,
    I set up a PIX 515E firewall with three interfaces: inside
    (192.168.35.5), outside and DMZ (172.30.50.20).
    There is an application server with a public IP address on a remote site
    connected to the PIX DMZ interface.
    The computers on the inside network should telnet to the remote server in
    the DMZ, and the remote server will send print jobs back to the printers on
    the inside network.
    I have put an access-list permitting TCP traffic on ports 515 (LPD) and 9100
    on the DMZ interface.

    The computers can telnet to the remote server without problem, but when a
    user requests printing, the remote server cannot send the print job back
    to the printers on the inside network.

    PIX 515E shows:
    %PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
    %PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
    %PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
    %PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
    %PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100

    (Note: if I replace the PIX firewall with a router configured for
    network routing, with no NAT on it, everything works fine.)

    Part of the PIX 515 configuration follows:

    PIX Version 6.1(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10

    access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
    access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
    access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100

    ip address inside 192.168.35.5 255.255.255.0
    ip address dmz 172.30.50.20 255.255.255.248

    nat (inside) 0 192.168.1.0 255.255.255.0 0 0
    nat (intf2) 0 209.120.100.0 255.255.255.0 0 0

    access-group 110 in interface dmz

    route dmz 209.120.100.0 255.255.255.0 172.30.50.17 1
    route inside 192.168.1.0 255.255.255.0 192.168.35.10 1

    Looking at the traffic log on the PIX firewall, the access-list doesn't seem
    to be applied to the DMZ interface, because when I do show access-list, the
    hitcount is 0.

    Is it something wrong in my configuration?
    Your help will be appreciated.
    Thank you.
    JY
     
    , Dec 8, 2005
    #1

  2. Wil Guest

    Re: Allow printing traffic from DMZ (Lower Security interface) to inside network on PIX 515E

    You will also need a static.

    Wil
    my 3¢
     
    Wil, Dec 8, 2005
    #2

  3. Wil Guest

    Re: Allow printing traffic from DMZ (Lower Security interface) to inside network on PIX 515E

    Just noticed that you have a nat 0 on each interface... PIX isn't a
    router; AFAIK you will always need to NAT a lower to a higher.

    Try this:

    ! This allows basic Internet usage
    global (outside) 1 interface
    nat (inside) 1 0 0
    nat (dmz) 1 0 0

    ! This creates a nat from the dmz to the inside
    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    happy hunting!

    Wil
    my 3¢
     
    Wil, Dec 8, 2005
    #3
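The following is an added example, not code from either poster or from Cisco. It models, in Python, the way this thread describes a PIX 6.x handling a connection arriving on a lower-security interface bound for a higher one: the firewall first looks for a translation slot (a static, as Wil points out in #2 and #3), and only then evaluates the access-list bound to the interface. That ordering is an assumption, but it is consistent with the symptom in the first post (106010 denies while the access-list hitcount stays at 0). The sample log is the five deny lines from post #1, reconstructed onto single lines; the access-list is access-list 110 as posted; the static is the identity static from Wil's post #3. Running it also surfaces a second check worth making: even with the static in place, the fifth flow (source port 60585 to port 9100) still matches no entry, because the 9100 line in the posted access-list, like the LPD line, only permits source ports 721-731. That restriction comes from RFC 1179, which has LPD clients bind source ports 721-731; raw port 9100 printing uses an ordinary ephemeral source port, so that entry would need `range 721 731` dropped.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the five %PIX-3-106010 lines from the first post,
# each rejoined onto one line as the PIX would have logged it.
DENY_LOG = """\
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100
"""

LOG_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


def parse_deny_log(text):
    """Extract the 5-tuple plus interface names from each 106010 line."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["sif"], m["sip"], int(m["sport"]),
                              m["dif"], m["dip"], int(m["dport"])))
    return flows


@dataclass(frozen=True)
class Ace:
    proto: str
    src_net: ipaddress.IPv4Network
    src_ports: tuple        # (low, high) inclusive, or None for any source port
    dst_net: ipaddress.IPv4Network
    dst_port: int


def ace(proto, src, src_ports, dst, dst_port):
    return Ace(proto, ipaddress.ip_network(src), src_ports,
               ipaddress.ip_network(dst), dst_port)


# access-list 110 exactly as posted (lpd = 515, telnet = 23).
ACL_110 = [
    ace("tcp", "209.120.100.0/24", (721, 731), "192.168.1.0/24", 515),
    ace("tcp", "209.120.100.0/24", None, "192.168.1.0/24", 23),
    ace("tcp", "209.120.100.0/24", (721, 731), "192.168.1.0/24", 9100),
]

# Wil's fix: static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
# modelled as (real interface, mapped interface, network); identity static.
STATIC_IDENTITY = [("inside", "dmz", ipaddress.ip_network("192.168.1.0/24"))]


def ace_matches(a, f):
    if a.proto != f.proto or a.dst_port != f.dst_port:
        return False
    if (ipaddress.ip_address(f.src_ip) not in a.src_net
            or ipaddress.ip_address(f.dst_ip) not in a.dst_net):
        return False
    if a.src_ports is not None and not (a.src_ports[0] <= f.src_port <= a.src_ports[1]):
        return False
    return True


def has_translation(flow, statics):
    """True if a static exposes the destination host toward the arriving interface."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(real == flow.dst_if.lower() and mapped == flow.src_if.lower() and dst in net
               for real, mapped, net in statics)


def evaluate(flow, acl, statics):
    # Assumption: PIX 6.x resolves the translation before it consults the ACL,
    # which is why a missing static leaves the access-list hitcount at 0.
    if not has_translation(flow, statics):
        return "deny: no translation slot (ACL not consulted)"
    for n, a in enumerate(acl, 1):
        if ace_matches(a, flow):
            return f"permit: ACE {n}"
    return "deny: no matching ACE"


def triage(log_text, acl, statics):
    """Return (flow description, verdict) for every deny line in the log."""
    return [(f"{f.src_ip}/{f.src_port} -> {f.dst_ip}/{f.dst_port}", evaluate(f, acl, statics))
            for f in parse_deny_log(log_text)]


if __name__ == "__main__":
    print("As posted (no static):")
    for desc, verdict in triage(DENY_LOG, ACL_110, []):
        print(f"  {desc}: {verdict}")
    print("With identity static (inside,dmz):")
    for desc, verdict in triage(DENY_LOG, ACL_110, STATIC_IDENTITY):
        print(f"  {desc}: {verdict}")
```

The second run reports the four LPD flows as permitted by the first entry and the port 9100 flow as still denied; fixing that needs a change to the access-list, not another static.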
  4. Guest

    Thank you, Wil,
    I'll try "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask
    255.255.255.0"

    Kenny

    Wil Wrote:
    > Just noticed that you have a nat 0 on each interface... PIX isn't a
    > router; AFAIK you will always need to NAT a lower to a higher.
    >
    > Try this:
    >
    > ! This allows basic Internet usage
    > global (outside) 1 interface
    > nat (inside) 1 0 0
    > nat (dmz) 1 0 0
    >
    > ! This creates a nat from the dmz to the inside
    > static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    >
    > happy hunting!
    >
    > Wil
    > my 3¢
     
    , Dec 9, 2005
    #4
  5. GI Guest

    GI, Dec 15, 2005
    #5
